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Abstract. We present a size-aware type system for first-order shapely function defini- 
tions. Here, a function definition is called shapely when the size of the result is determined 
exactly by a polynomial in the sizes of the arguments. Examples of shapely function defi- 
nitions may be implementations of matrix multiplication and the Cartesian product of two 
lists. 

The type system is proved to be sound w.r.t. the operational semantics of the language. 
The type checking problem is shown to be undecidable in general. We define a natural 
syntactic restriction such that the type checking becomes decidable, even though size 
polynomials are not necessarily linear or monotonic. 

Furthermore, we have shown that the type-inference problem is at least semi-decidable 
(under this restriction). We have implemented a procedure that combines run-time testing 
and type-checking to automatically obtain size dependencies. It terminates on total typable 
function definitions. 
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1. Introduction 

We explore typing support for checking size dependencies for shapely first-order function 
definitions (functions for short). The shapeUness of these functions Ues in the fact that the 
size of the result is a polynomial in terms of the arguments' sizes. 

1.1. Variety of resource analysis techniques. This research is a part of the Amortised 
Heap Space Usage Analysis (AHA) project |vEShvK07] . Estimating heap consumption is an 
active research area as it becomes more and more of an issue in many applications, including 
programming for small devices, e.g. smart cards, mobile phones, embedded systems and 
distributed computing. 

Amortization is a promising technique to obtain accurate bounds of resource consump- 
tion and gain. An amortised estimate of a resource does not target a single operation but a 
sequence of operations. One assigns some amortised cost to an operation. This amortised 
cost may be higher or lower than the operation's actual cost. For the sequence considered, 
it is important that its overall amortised cost covers its overall actual cost. An amortised 
cost of the sequence lies between its actual cost and the simple multiplication of the worst- 
case of one operation by the length of the sequence. An amortised cost of the sequence is 
in many cases easier to compute than its actual cost and it is obviously better than the 
worst-case estimate. 

Combining amortization with type theory allows to infer linear heap-consumption 
bounds for functional programs with explicit memory deallocation [HofJo stO.S]. The AHA 
project aims to adapt this method for non-linear bounds within (lazy) functional programs 
and transfer the results to the object-oriented programming. Contrary to linear amortised 
bounds, to obtain non- linear heap estimates one does need to know sizes of structures that 
takes part in computation, see, for instance [vEShvKOT] . 

The AHA project seems to be part of an emerging trend since a growing number of 
works are addressing resource analysis. Here we mention some of them. 

In [AmZilj the authors develop new method to statically (polynomially) bound the 
resources needed for the execution of systems of concurrent threads. The method gener- 
alises an approach designed for first-order functional languages that relies on a combination 
of standard termination techniques for term rewriting systems and an analysis of the size 
of the computed values based on the notion of a polynomial quasi-interpretation. Quasi- 
interpretations were applied to size analysis firstly in |BonMarMoy05b] . In |AvMoSch08] 
the authors describe a fully automated tool that implements a few techniques that directly 
classify run-time complexity (i.e. techniques that use the number of rewrite steps as com- 
plexity measure), including polynomial quasi-interpretations. 

Several groups have studied programming languages with implicit computational com- 
plexity (ICC) properties. This line of research is motivated both by the perspective of 
automated complexity analysis, and by foundational goals, in particular to give natural 
characterisations of complexity classes, like PTIME or PSPACE. In |Gir92| characterisa- 
tion of PTIME is given in terms of bounded linear logic. In GabMa rRonOS] one proposes 
a characterization of PSPACE by means of an extension of (soft affine) typed lambda cal- 
culus. For this extension, the authors design a call-by-name evaluation machine in order 
to compute programs in polynomial space. In [AtBailTerOT] one addresses the problem of 
typing lambda-terms in a variant of second-order light linear logic. The authors give a 
procedure which, starting with a term typed in system F, determines whether it is typable 
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in the logic. It is shown that the procedure can be run in time polynomial in the size of the 
original Church typed system F term. 

Resource analysis may be performed within a Proof Carrying Code framework. In 
[AsMcKOB] one introduces the notion of a resource policy for mobile code to be run on 
smart devices. Such a resource policy is integrated in a proof-carrying code architecture. 
Two forms of policy are used: guaranteed policies which come with proofs and target policies 
which describe limits of the device. 

In |AlArGenPuebZan07| one describes resource consumption for Java bytecode by 
means of Cost Equation Systems (CESs), which are similar to, but more general than 
recurrence equations. CESs express the cost of a program in terms of the size of its in- 
put data. In a further step, a closed form (i.e., non-recursive) solution or upper bound can 
sometimes be found by using existing Computer Algebra Systems, such as Maple and Math- 
ematica. This work is continued by the authors in [AlArGenPuebOS] . where mechanisms 
of constructing solutions of CESs and upper bounds are studied closely. They consider 
monotonic cost expressions only. 

In [BenOl] the author describes the Automated Complexity Analysis Prototype (ACAp) 
system for automated time analysis of functional programs. Symbolic evaluation of recursive 
programs generates systems of multi- variable difference equations, which are solved using 
Mathematica. 

In [GuMeCh09j the authors describe a technique for computing symbolic bounds on 
the number of statements a procedure executes in terms of its inputs and user defined 
size functions. The technique is based on multiple counter instrumentation that allows to 
compute linear bounds individually for each counter. The bounds on these counters are 
then composed to generate total bounds that are non-linear and disjunctive. 

1.2. Exploring size dependencies. In this paper we restrict our attention to a language 
with polymorphic lists as the only data-type. For such a language, this paper develops a 
size-aware type system for which we define a fully automatic type checking and inference 
procedure. 

A typical example of a shapely function in this language is cprod that computes the 
Cartesian product of two sets, stored as lists. It is given below. The auxiliary function 
pairs creates pairs of a single value and the elements of a list. To get a Cartesian product 
the function cprod does this for all elements from the first list separately and appends the 
resulting intermediate lists. Furthermore, the function definition of append is assumed: 

cprod(/i,Z2) = match li with | nil =^ nil 

I con5{hd,tl) ^ append(pairs(/id, ^2), cprod(i/, ^2)) 

where 

pairs(2;,Z) = match I with | nil ^ nil 

I cons{hd, tl) =^ let I' = cons(a;, cons(/ic?, nil)) 
in cons(Z', pairs(a;, tl)) 

Given two lists, for instance [1, 2, 3] and [4, 5], it returns the list with all pairs 
created by taking one element from the first list and one element from the second list: 
[[1, 4], [1, 5], [2, 4], [2, 5], [3, 4], [3, 5]]. Hence, given two lists of length n and m, it always 
returns a list of length nm containing pairs. This is expressed by the type L„(a) x \-m{(y) — > 
Ln*m(L2(a))- 
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Shapeliness is restrictive, but it is an important foundational step. It makes type 
checking decidable in the non-linear case and it allows to infer types "out-of-the-box" , since 
experimental points are positioned exactly on the graph of the polynomial. Exact sizes 
will be used in future work to derive lower/upper bounds on the output sizes. We need 
such bounds for investigating amortised resource bounds in the AHA project. Nonlinear 
amortised resource consumption relies on the size of input data, and its gain is calculated 
based on the size of output. 

In this paper our only concern is in sizes of input and output. For instance, the time 
and space complexity of a function definition with a polynomial input-output size depen- 
dency may exceed polynomial space and time consumption due to internal structures and 
computations. 

1.3. Related work on size analysis. Information about input-output size dependencies 
is applied to time and space analysis and optimization, because run time and heap-space 
consumption obviously depend on the sizes of the data structures involved in the compu- 
tations. Knowledge of the exact size of data structures can be used to improve heap space 
analysis for expressions with destructive pattern matching. Amortised heap space analysis 
has been developed for linear bounds by Hofmann and Jost [Hof Jost03] . Precise knowl- 
edge of sizes is required to extend this approach to non-linear bounds. Another application 
of exact size information is load distribution for parallel computation. For instance, size 
information helps to distribute a storage effectively and to safely store vector fragments 
|Chat9nj . 

The analysis of (exact) input-output size dependencies of functions itself has been ex- 
plored in a series of works. Some interesting work on shape analysis has been done by Jay 
and Sekanina [JaySekOT] . In this work, a shapely program expression is translated into a 
corresponding abstract program expression over sizes. Thus, the dependency of the result 
size on the argument sizes has the form of a program expression. However, deriving an 
arithmetic function from it is beyond the scope of their work. 

Functional dependencies of sizes in a recurrent form may be derived via program anal- 
ysis and transformation, as in the work of Herrmann and Lengauer [HerLenOlj . or through 
a type inference procedure, as presented by Vasconcelos and Hammond [VasHamOS] . Both 
results can be applied to non-shapely functions, higher-order functions and non-linear size 
expressions. However, solving the recurrence equations to obtain a closed- form solution is 
left as an open problem for external solvers. In the second paper monotonic bounds are 
studied. 

To our knowledge, the only work yielding closed-form solutions for size dependencies 
is limited to monotonic dependencies. For instance, in the well-known work of Pareto 
[Par98] . where non-strict sized types are used to prove termination, monotonic linear upper 
bounds are inferred. There linearity is a sufficient condition for the type checking procedure 
to be decidable. In the series of works on polynomial quasi- |BonMarMoy05b] and sup- 
interpretations [MarPech] one studies max-polynomial upper bounds. The checking and 
inference rely on real arithmetic. In general, (inference) synthesis procedures are exponential 
w.r.t. the size of a program. For multilinear polynomials in max-plus-algebia it is shown 
to be of polynomial complexity [Am05j . 

Our approach differs two-fold. Firstly, quasi-interpretations give monotonic bounds. 
With non-monotonic size dependencies polynomial quasi-interpretations may lead to signif- 
icant over-estimations. Secondly, to get exact bounds we use rational arithmetic instead of 
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real arithmetic. Our motivation for this choice hes in the fact that one should use decidabil- 
ity procedures in reals with care, if one applies them to integers or naturals. For instance, 
< holds in naturals, but not in reals, since it does not hold on < a; < 1. 
The approaches summarized in the previous paragraphs either leave the (possibly un- 
decidable) solving of recurrences as a problem external to their approach, or are limited to 
monotonic dependencies. 

1.4. Content of the paper. In this work, we go beyond monotonicity and linearity and 
consider a type checking procedure for a first-order functional programming language (sec- 
tion [21) with polynomial size dependencies (section [3]) . 

In subsection 13.11 we define zero-order types and their set-theoretic semantics. In sub- 
sections 13.21 and 13.31 we define first-order types and give typing rules respectively. The 
soundness of type system w.r.t. the operational semantics of the language is studied in 
subsection 13.41 The type system is not complete in the class of all shapely functions, and 
no such complete system exists (subsection 13. 5p . 

In section |4] we show that type checking is reduced to the entailment checking over 
Diophantine equations. Type checking is shown to be undecidable in general (subsection 
14. 2p . However, type-checking is decidable under certain syntactic condition for function 
bodies (subsection 14. 3p . 

We define in detail a method for type inference in section [5l It terminates on a non- 
trivial class of shapely functions. It does not terminate when either the function under 
consideration does not terminate, or it is not shapely, or its correct size dependency is 
rejected by the type-checker due type-system's incompleteness. 

Finally, in section [6] we overview the results and discuss further work. 

2. Language 

The typing system is designed for a first-order functional language over integers and 
(polymorphic) lists. 

The syntax of language expressions is defined by the following grammar (the example 
in the introduction used a sugared version of this syntax) : 

Basic b ::= c | x binop y | nil | cons(2;, /) | /(zi, . . . , 2;„) 
Expr e ::= b 

I let z = 6 in ei 

I if X then ei else 62 

I nnatch / with 1 nil =^ ei 

1 COns(z, I') 62 

I letfun f{zi, ... ,Zn) = ei in 62 
I letextern f{zi, . . . , Zn) in ei 

where c ranges over integer constants, z, x, y, I denote zero-order program variables {x and 
y range over integer variables, I possibly decorated with sub- ans superscripts, ranges over 
lists and z ranges over program variables when their types are not relevant), binop is one of 
the four integer binary operations: +, — , div, mod, and / denotes a function name. 

The syntax distinguishes between zero-order let-binding of variables and first-order 
letfun-binding of functions. In a function body, the only free program variables that may 
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occur are its parameters: FV{ei) C {zi,...,z„}. The operational semantics is standard, 
therefore the definition is postponed until it is used to prove soundness (section 13. 4p . 

We prohibit head-nested let-expressions and restrict sub-expressions in function calls 
to variables to make type-checking straightforward. Program expressions of a general form 
may be equivalently transformed to expressions of this form. It is useful to think of the 
presented language as an intermediate language. 

For practical reasons and in order to support modularity, we introduce a letextern 
declaration, which makes it possible to call functions implemented in other modules that 
may be defined in other languages. 



3. Type System 

We consider a type system, constituted from zero- and first-order types, corresponding 
typing rules for program constructs and Peano arithmetic extended to rational numbers as 
(classes of equivalence of) pairs of integers, rational addition and multiplicatior£|. 



3.1. Zero-order types and their semantics. Sized types are derived using a type and 
effect system in which types are annotated with size expressions. Size expressions are 
polynomials representing lengths of finite lists and arithmetic operations over these lengths: 



SizeExpr p ::= Q\n\p + p\ p — p\p*p 

where Q denotes rational numbers, and n, possibly decorated with sub- and superscripts, 
denotes a size variable, which stands for any concrete size (natural number). For any natural 
number k, denotes the /c-fold product n * . . . * n. 

Size expressions are rational polynomials that map natural numbers into natural num- 

bers. For instance, the polynomial p{n) = ^ represents the size dependency of the 

function progression: 

progression (Z) = match I with | nil =^ nil 

I cons{hd,tl) =^ append(progression(i/), I) 

For example, it maps [1, 2, 3] on [3, 2, 3, 1, 2, 3]. The output size dependency is given by 
the arithmetic progression + 1+ ... +(n — l)+n, where n is the size of an input. This 
explains the name of the function |vKShvE07| . 

Zero-order types are assigned to program values, which are interpreted as integer num- 
bers and finite lists. A list type is annotated with a size expression that represents the 
length of the list: 

Types T ::= Int | a \ Lp(T) 

where a is a type variable. This structure entails that if the elements of a list are lists 
themselves, then all these element-lists must be of the same size. Thus, instead of lists 
it would be more precise to talk about matrix-like structures. For instance, the type 
L6(L2(lnt)) is given to a list whose elements are all lists of exactly two integers, such 
as [[1,4], [1,5], [2, 4], [2, 5], [3, 4], [3, 5]]. 



Rational addition is defined as — + — = — -- — . Rationals with their addition and multiplication form 

b a bd 

a field, more precisely a field of integer fractions. 
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It is easy to see that for all m the types Lo(Lm(lnt)) are equal, because they represent 
the singleton containing []. The same holds for Lo(L^(a)). This induces a natural equiv- 
alence relation on types. For instance Lg(Lo(Lp(a))) = Lg(Lo(Lp/(a))). The equivalence 
expresses the fact that the size of a list is not relevant when such a list does not exist, 
because an outer list is empty. Now, we define formally an entailment D \- t = t', where D 
is a conjunction of equations between polynomials. The definition is inductive on r. The 
entailment D \- t = t' holds if and only if 

• r = r' = Int or r = r' = a for some type variable a; 

• r = Lp(r") and r' = Lp' (r'") have the same underlying type (i.e. the type with annotations 
omitted) and 

(1) D \- p = p' , and 

(2) D h p = or D h r" = t'", 

with D \- p = q being an arithmetical entailment, meaning V n.D{n) p{n) = q{n), where 
n is the collection of all size variables taken from D, q and p. For instance, 

TO = h \-n+rn{a) = L„(a) and 

TO-1 = 0, n = OI- U+^_i(L2(q;)) = U(L3(q;)) 

hold, whereas n = h L„_|_m_i(L2(a)) = Lm^i{L^{a)) does not. 

The sets FV{t) and FVS{t) of the free type and size variables of a type r are defined 
inductively in the obvious way. Note, that Fy5(Lo(L^(a))) = 0, since the type is equivalent 
to Lo(Lo(a)). 

Zero-order types without size or type variables are ground types: 

GTypes r* ::= r such that FVS{t) = A FV{t) = 

In our semantic model a heap is essentially a collection of locations i that can store list 
elements. A location is the address of a cons-cell each consisting of a hd-field, which stores 
the value of a list clement, and a tl-field, which contains the location of the next cons-cell 
of the list (or the NULL address). Formally, a program value is either an integer constant, a 
location, or the NULL-address. A heap is a finite partial mapping from locations and fields 
to program values: 

Val V ::= c \ i\ NULL £ e Loc c G Int 

Hp h : Loc^ {hd,tl} ^ Val 
We will write h.i.hd and h.i.tl for the results of applications h i hd and h i tl, which 
denote the values stored in the heap h at the location i at fields hd and tl, respectively. 
Let h[i.hd := v^, i.tl := vt] denote the heap equal to h everywhere but in £, which at the 
hd-field of £ gets value Vh and at the tl-field of i gets value vt- 

The semantics w of a program value is a set-theoretic interpretation with respect to a 
specific heap h and a ground type r. It is given via the four-place relation v |=^ w, where 
integer constants interprets themselves, and locations are interpreted as non-cyclic lists: 

C Nint ^ 

NULLH[:„(..) □ 

£ |=f / .^ w;hd •• "i^ti iff n > 1,^ E domih)^ 
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where n* is a natural constant and /i[dom(/i)\{£} denotes the heap equal to h everywhere 
except for £, where it is undefined. 

3.2. First-order types. First-order types are assigned to shapely functions over values of 
a zero-order type. Let t° denote a zero-order type of which the annotations are all size 
variables. First-order types are then defined by: 



FTypes ::= x . . . x r ° ^ t„h 



1 



such that FVS{Tn+i) Q FVS{t^) U • • • U FVS{t°) 

For instance, one expects that the following function definitions (in the sugared syntajfl) 
will be well-typed in the system: 

append : U(a) x Lmia) U+m(a) 
append(/i, I2) = match li with | nil =^ I2 

I cons{hd,tl) =^ cons(/id, append(i/, Z2)) 

pairs : a x L„(a) U(L2(a)) 
pairs(a;,/) = match / with | nil =^ nil 

I cons{hd, tl) =^ let = cons(x, cons(/id, nil)) 
in cons(/', pairs(x, tl)) 

cprod : U(a) x Lm(a) ln*m{^2{a)) 
cprod(/i, /2)match li with | nil =^ nil 

I cons{hd,tl) ^ append(pairs(/i(i, Z2), cprod(fZ, Z2)) 

sqdiff : U(a) x Lm(a) L(„2+„2_2*„*m)(L2(a)) 
sqdifF(/i, I2) = match li with | nil =^> cprod(/2, h) 

I cons{hd, tl) =^ match I2 with | nil ^ cprod(/i, li) 

I cons(/id', tl') =^ sqdiff {tl, tl') 

For total functions the following condition is necessary: for all instantiations * of size 
variables with themselves or zeros, the inclusion FVS{*Tn-^-i) C FVS{*t°) U • • • U FVS{*t°) 
holds. Consider, for instance, the first-order type L„(Lm(a)) Lm(L„(a)), where on nil in- 
put, i.e. with n = 0, the input type degenerates to Lo(Lm(a)) = Lo(Lo(a)) but the outer list 
of the output must have length m. This m becomes unknown being "hidden" in Lo(Lm(a)). 
Thus, this first-order type may be accepted without the condition above, once a function 
of this type is partial and undefined on empty lists. Since the type L„(Lm(a)) Lm(Ln(a)) 
may be assigned to an implementation of n x m-matrix transposition, undefinedness on nil 
may be interpreted as an exception "cannot transpose an empty matrix" . 

A context F is a mapping from zero-order variables to zero-order types. A signature 
S is a mapping from function names to first-order types. The definition of FVS{—) is 
straightforwardly extended to contexts. 



In the sugared syntax we use f{g{z)) for "let z' = g{z) in /{z')'' 
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3.3. Typing rules. A typing judgement is a relation of the form D; T hs e:r, where D is 
a conjunction of equations between polynomials. D is used to keep track of size information. 
In the current language, the only place where size information is available is in the nil-branch 
of the match-rule. The signature S contains the type assumptions for the functions that 
are called in the expression under consideration. The typing judgement relation is defined 
by the following rules: 

ICONST ^ — | n IBlNOP 



D; r l-sc:Int D; F, x:Int, y:Int hs x binopyiint 

D\-p = 

Nil J^^r t _ 



D; r l-snil:Lp(r) D- T, z:t \-t.z:t 

D'r p = p' + 1 



D; r, hd-.T, tl:lp>{T) cons{hd,tl):Lp{T) 



Cons 



D; r, x: Int et :r 

D; r, x: Int hs ef-T 

D; F, xilnt hs if a; then else e/ :t 

z ^ dom{r) 
D; r l-E ei-.Tz 
D; r, z:Tz Hs e2:r 

D; r hs let z = ei in e2:T 



If 



p = 0, D; r, l:lp{T') hseniiir 
hd,tl ^ dom{T) D; T,hd:T', Z:Lp(r'), iZ:Lp_i(r') hsecons:^ 

]VI AT C H 

D; r, l-.Lpir') hs match I with | nil =^ Cnii :t 

I COns{hd, tl) =^ ficons 

The rule LetFun demands that all letfun-defined functions, including recursive ones, 
must be in the domain of the signature, and the corresponding first-order type must pass 
type-checking: 

= X • • • X r° ^ T„+i 

True; zi : r{' , . . . , 2;„ : r° hs ei : Tn+i 

D; r He 62 : t' 

n u I ^-f — T( ^ '■ 1 LetFun 

U; 1 hs lettun /(zi, . . . , z„j = ei in 62 :t 

However, in practice we do not prohibit calls to functions that are not defined via 
letfun. If a function coming from a trusty external source together with its first-order type 
is declared via letextern, one applies the LetExtern rule: 

= ri° X ■ ■ ■ X T° ^ Tn+l 

D-V hs e : r' 

- LetExtern 



D] r hs letextern /(zi, z„) in e:r' 

When proving soundness we require all functions to be defined via letfun within an expression 
under consideration. 
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In the FuNApp-rule, Q computes the substitution * from its first argument (whose 
size expressions are always variables since they are taken from the first-order signature of 
the function) to its second argument, and the set C of equations over size expressions from 
Ti' X • • • X r^. The set C contains p = p' if and only if the expressions p and p' are substituted 
to the same size variable. For instance, if a function dotprod : Lm(lnt) x Lm(lnt) — > Int 
is called with actual parameters of the types L„+„/4.2(lnt) and L„+3(lnt), then C contains 
the equation n + n' + 2 = n + 3. 



(*,C) = e(rf x...XT°,ri'x...xr„') 
E(/) = rf X ... XT°^r„+i D h <+i = *(t„+i) DhC 



FunApp 



D; r, zi : Ti', . . . , Zn : t„' hs f{zi, Zfc) :t„+i' 

In the example with the call of dotprod the equation n + n' + 2 = n + 3 holds if D contains 
n' - 1 = 0. 

As another example of the FuNApp-rule consider the recursive call append(iZ, I2) in the 
definition of append: 

S(append) = U(a) x lm{a) \-n+m{a) 

h T = *{Ln+m{a)) 

FunApp 



tl:ln-iia), h-.lmia) append(iZ, 12):t 
Here 0(L„(a;) x Lm(a), L„„i(a;) x Lm(a)) = (*, 0) with *{n) = n — 1, *{m) = m. Thus, 
r = *(U+m(a)) = U-i+m(a)- 

The type system needs no conditions on non-negativity of size expressions. Size ex- 
pressions in types of meaningful data structures are always non- negative. The soundness 
of the type system ensures that this property is preserved throughout (the evaluation of) a 
well- typed expression. 

See subsection 14.11 for examples of type checking in detail. 



3.4. Soundness of the type system. Informally, soundness of the type system ensures 
that "well-typed programs will not go wrong" . This means that if function arguments have 
meaningful values according to their types then the result will have a meaningful value of 
the output type. In section 13. H we formalized the notion of a meaningful value using a 
heap-aware semantics of types. Here we give an operational semantics of the language. 

We introduce a frame store as a mapping from program variables to program values. 
This mapping is maintained when a function body is evaluated. Before evaluation of the 
function body starts, the store contains only the actual parameters of the function. During 
evaluation, the store is extended with the variables introduced by pattern matching or let- 
constructs. These variables are eventually bound to the actual parameters, thus there is 
no access beyond the current frame. Formally, a frame store is a finite partial map from 
variables to values: 



Store s : ExpVar Val 
Using heaps and frame stores, and maintaining a mapping C from function names to 
the bodies of the function definitions, and a mapping 8 of external function names to 
the external implementations, the operational semantics of expressions is defined by the 
following rules: 
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C G Int OSICONST 



s\ h\ C, £ \- c c\ h 

OSIBiNOP 



s;h\C,£\-x binopy s(a;)binop s(j/); h 



OSNIL ^ ^ ^ I r^-r OSVar 



s; h\ £ \- nil -w NULL; /i s\ h\ £ \- z s{z); h 

s{hd) = fhd s(^0 = "^ti ^ dom{h) 



s; h, C, £ \- cons{hd, tl) /i[^.hd := ■Uhd, •^•tl := ■yti] 

s(x) 7^ s; /i; C, h ei f ; /i' 



OSCONS 



, ^ ^ , , , ,7 OSIfTrue 

s; n; L, c r n x then ei else 62 v; n 

s{x) = s; /i; C, £" l- 62 /i' 

s; h; C, £ h if x then ei else 62 v; h' 

s; h; C, £ \- ei vi; hi s[z := vi]; hi; C, £ \- 62 v; h' 

s; h; C, £ \- let z = ei '\n 62 ^ v; h' 

s{l) = NULL s; h; C, £ \- ei v; h' 



OSLet 



7 OSMatch-Nil 



s; h; C, £ \- match I with | nil =^ ei v; h' 

I COns(/lC?, tl) 62 

/i.s(l).hd = vi^d h.s{l).tl = Vti 

s[hd := ■Uhd) '■= Uti]', h, C, £ \- 62 v; h' 

— ; — ^ ^ , — . , , ., 77 OSMatch-Cons 

s; /i; C, c h nnatch t with | ml ei -w ti; h 

I cons(/ic?, iZ) =^ 62 

s; h; C[f := {{zi, ...,Zn)x ei)], £ \- 62 v; h' 
FV{ei) C {zi, ...,zn} 

— , r c u \ ^( 77 ^ '■ U OSLetFun 

s; h; C, t r lettun j{zi, . . . , Zn) = e\ m 62 v; h 

S{zi) =Vi ... s{Zn) = Vn C{f) = {z[, ...,z'jxef 

[z[ := vi,...,z'n := Vn]; h; C, £ h ej v; h' 

FV{ef)C{z[,...,z'J 

, ^ ^ , ^ 77 OSFunApp 

s; h; C, £ t f{zi, . . . v; h 

The soundness statement is defined by means of the fohowing two predicates. One 
indicates if a program value is meaningful with respect to a certain heap and a ground 
type. The other does the same for sets of values and types, taken from a frame store and a 
ground context T*, respectively: 

Valid^a\{v,T',h) = 3^1 v |=^. w] 

Validstore{vars,T*,s,h) = "^zevarsi Valid^3\{s{z),T'{z),h) ] 
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Let a valuation e map size variables to concrete (natural) sizes and an instantiation r/ 
map type variables to ground types: 

Valuation e : SizeVar Z 
Instantiation tj : TypeVar r* 

When applied to a type, context, or size equation, valuations (and instantiations) map 
all variables occurring in it to their valuation (or instantiation) images. 
Now, stating the soundness theorem is straightforward: 

Theorem 3.1 (Soundness). Let s; h; [], [] h e v; h' and all functions called in e be 
defined in it via the let-fun construct. Then for any context T, signature S and type r such 
that True; F hx; e : r zs derivable in the type system and for any size valuation e and type 
instantiation r], it holds that if the store is meaningful w.r.t. the context ri{e{T)) then the 
output value is meaningful w.r.t the type ??(e(r)).- 

yr,,,[VaUdstore{FV{e),rj{e{r)),s,h) =^ VaUd,,^{v,7]{eiT)), h') ] 

The theorem follows from the following general statement: 

Lemma 3.2 (Soundness). For any s, h, C, e, v, h' , a set of equations D, a context T, a 
signature S, a type r, a size valuation e and a type instantiation rj such that 

• s; /i; C, [] h e ~^ v; h' , 

• D] V e : T is derivable in the type system and all functions called in e are 
declared via letfun, 

one has 

V^,e[e(L») A Valid,,ore{FV{e),i^{e{T)),s,h) =^ Valid,,\{v,r,{e{T)),h') ] 

The proof is done by induction on the size of the derivation tree for the operational- 
semantics judgement. For the LET-rule it relies on benign sharing [HofJostOS] of data 
structures. With benign sharing, shared heap structures to be used in the let-body are 
not changed by the let-binding expression of let. To formalize the notion of benign sharing 
we introduce a function footprint TZ : Heap x Val — > Vi^Loc), which computes the set of 
locations accessible in a given heap from a given value: 

n{h, c) =0 
n{h, NULL) = 

0, if £^ dom{h) 

{1} U Tl{h\dom{h)\{i}^ h.e.hd) U TZih] domih)\{e} , h.t.tl), if i £ dom{h) 
where f\x denotes the restriction of a (partial) map / to a set X. 

We extend TZ to stores by 7?.(/i, s) = UzGdom(s) ''^(^' ■*(-^))- So, the operational- 
semantics let-rule with benign sharing looks as follows: 

s; /i; C, £^ h ei ~^ vi; hi 

s[z := vi\\ hi; C, £ h €2 v; h' 

s; h; C, £ H let z = ei in 62 v; h' 
This semantic condition is not statically typable in general, however, there are type 
systems that approximate it, e.g. linear typing and uniqueness typing [BarSm96] . Since in 



7^(/l, 
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our language we have neither destructive pattern matching nor assignments, benign sharing 
is guaranteed. 

Proof. Let everywhere below s; h; C H e v; h' denote the operational-semantics 
judgement s; h; C, [] \- e v; h' with the empty external closure. 

In the proof we will use a few technical lemmata about heaps and model relations. They 
are intuitively clear statements like "extending a heap does not change a model relation", 
so we do not prove them in the main part of the paper. The interested reader may find the 
technical proofs in the appendix. 

For the sake of convenience we will denote r/(e(T)) via r^^, ^(e(r)) via F^^ and e(-C') via 

We prove the statement by induction on the height of the derivation tree for the 
operational-semantics judgement. Given s; h; C h e v; h' fix some F, S, and r, 
such that D; T e : r. Fix a valuation e € FV{T) U FV{t) Z, a type instantiation 
rj G FV{r) U FV{t) r', such that A and ValidstoreiFV{e),rr,e,s,h) hold. We must 
show that Validya\{v,Tne, h') holds. 

OSIConst: In this case v = c for some constant c and r = Int. Then, by the 

definition we have c \=in^ c and Validya\{v, Int, h'). 
OSNull: In this case v = NULL and r = Lo(t') for some r'. Then, by the definition 
we have NULL , , [] . 

OSVar: From t = t' and it follows that r^^ = r^^. From this and 

Validstore{FV{z),T\j{z : T\,,h,s) 

it follows that 



Valid^3\{s{z),Tr,e-, h) 

OSCons: In this case e = corts{hd, tl), t = Lp(t'), {hd : r', tl : Lp/(r')} C F for some 
hd, tl, p' and r'. Since Validstore{FV{e),Tr^^,s,h) there exist it^hd and f^ti such 
that s(hd) \=^, Whd and s(tl) \=^. , ■Wx\- From the operational semantics 
judgement we have that v = i for some location i ^ dom{h), and h' = h[l.hd := 
s{hd), Itl := Therefore, /I'.^.hd ^^j^^ -Whd and /I'.^.tl ^j^^ ,(r'))„E ^^ti hold 

as well. It is easy to see that h = h'\j,om{h')\{£}- 
Thus, 

I,/ /) T- J I ^'\dom(h')\{n 

h'.i.hd \=^, Wi,d 



h 



This and Dei which implies Pe = {p' + l)e gives £ \='^^_ tHhd Wti and thus 

Valid^s\{i,Tne, h'). 

OSIfTrue: In this case e = if x then ei else 62 for some ei, 62, and x. Know- 
ing that D; T ei : r we apply the induction hypothesis to the derivation of 
s; /i; C h ei v; /i', with the same 77, e to obtain Validstore{FV{ei),Vne-,s,x) =^ 
Valid^a\{v,Tfje,h'). From FV{ei) C FV{e), Validstore{FV{e),Tr^t,, s,x), and lemma 
16.71 it follows that Valid^a\{v,Trj^, h'). 

OSIfFalse: is similar to the true-branch. 
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OSLetFun: The result follows from the induction hypothesis for 

s; h; C[f := {z x ei)] \- 62 v; h' , 

with D; T hs 62 : r and the same r], e, store s and heap h. 
OSLet: In this case e = \et z = ei in 62 for some z, ei, and 62 and we have s; h; C h 
ei vi; hi and s[z := vi]; hi; C h 62 v; h' for some vi and hi. We know 
that D; T ei : t' , z ^ T and Z); T,z : t' hs 62 : r for some r'. Applying 
the induction hypothesis to the first branch gives Validstore{FV{ei),Tjj^,s,h) 
VaM^^i{vi,T'^„hi). Since FV{ei) C F7(ei) U (FF(e2) \ {z}) = FV{e) and 

Vaii(istore(i^^(e), r^e, s, /i) 

we have from lemma [6^71 that Validstore{FV i&i), ^ r^e, s,h) holds and hence we have 
Valid^a\{vi,T'^^, hi). 
Now apply the induction hypothesis to the second branch to get 

Validstore{FV{e2),Tr^^U {z:t'^},s[z := vi],hi) =^ Valid^a\{v,Trje, h'). 

Now we will show that the l.h.s. of the implication holds. Fix some z' € FV{e2). 
If z' = z, then Valid.ja\{vi,T'^^,hi) implies Validya\{s[z := vi]{z),T'^^,hi). If z' ^ z, 
then s[z := vi\{z') = s{z'). Because we know that sharing is benign, /i|7^(/i^ s(z')) = 
^il7^(/i, s(z'))' ^PPlyiiig lemma [631 and then 16.71 we have that s(z') j-^,^ Wz' im- 
plies s(z') |=p^ w^/ implies ^[z := vi]{z') \=^^ ty^/ and thus Validya\{s[z := 
vi]{z'),Tr,e{z'),hi). Hence, Validstore{FV {€2) ,T \J {z : t'^^} , s[z := vi],hi). There- 
fore, Valid~ja\{v,Tr^e,h'). 

OSMatch-Nil: In this case e = match / with | nil =^ ei | cons{hd, tl) =^ 62 for some 
/, hd, tl, ei, and 62- The typing context has the form F = F' U {/ : Lp(T')} for some 
F', t' , p. The operational-semantics derivation gives s{l) = NULL, hence validity for 
s{l) gives /: Lo(t') and thus e{p) = 0. From the typing derivation for D; F e:r 
we then know that p = 0, D; T' \—£ ei :t. Applying the induction hypothesis, with 
p = A then yields Validstore{FV{ei),T'^^,s,h) =^ Valid~ja\{v,Tr^^,h'). From 
FV{ei) C FF(e), VaZidstore(i^^(e), F^,, s, /i), e{p) = OA A and lemma [O it follows 
that Validya\{v,Tne-,h'). 

OSMatch-Cons: In this case e = match / with | nil =^ ei | cons(/id, iZ) =^ 62 for some 
I, hd, tl, ei, 62- The typing context has the form F = F' U {/ : Lp(r')} for some F', 
r', p. From the operational semantics we know that h.s{l).hd = ujid and h.s{l).Vti 
for some Uhd and Vti - that is s{l) 7^ NULL - hence, due to validity of s{l), we have 
I : Lp(r') for some r' and e{p) > 1. From the typing derivation of e we obtain that 
D; F', I : Lp(r'), hd : r', tl : Lp_i(T') hs 62 : r Applying the induction hypothesis 



yields 

Validstore{FV {62 



T' U 



hd := Uhd, 
tl := Vti 



.h) 



U{/:(Lp(r')),JU 
U{hd:T'^JU 

U{i/:Le(r')}r,e} 

^ Validy^^{v,Tr,e,h'). 

Show that the l.h.s. of the implication holds. From Validstore{FV{e),rrje, s,h), 
iFV{e2) \ {hd, tl}) C FV{e), and lemmaEZlwe obtain 

Validstore{FV{e2) \ {hd, tl},r^„s,h) 
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Due to hd, tl dom{s) we can apply lemma WM and get 

Valid store{FV {€2) \ {hd, tl},T^,s[hd := Uhd, tl := i;ti],/i) 

From the validity s{l) \=^^_ i^hd Wti, and obvious eij) — 1) = e{p) — 1 the 

validity of tihd and -Uti follows: Uhd |=r;;, ^t'hd, "Vti \=\\_^_^{r'))r,e 

Now Va/idstore(^l^(e2),r^e U {hd : T',tl : Lp_i(r')}^e, := tihd, := ■yti],/i) 
and, hence, 

Validya\{v,Tr,e, h'). 

OSFunApp: We want to apply the induction assumption to 
[z[ := vi, . . . , z'^ := Vn]; h; C h e/ v; h' . 

Let = T^' X . . . X T ° ^ r', the types t° of the formal parameters be 

L„^^(. . . L„.^ (oj) . . .) respectively, and the types T{z.i) of the actual parameters Zi 
be Lp.j (. . . Lp.^ (toJ . . .)) where 1 < i < n. According to the typing rule D \- t = 
T'[...ai ■=Ta,...] [...riij :=pij...]. 

Since all called in e functions are defined via letfun, there must be a node in the 
derivation tree with True, z[ : r{', . . . , z'^ : t° ef : t'. 

We take ij' and e', such that 

• ri'{ai) = rj{Ta,), 

• e'{nij) = e{pij). 

Thus, r(zi)^, = (T°)^'e', since 

(T°),,-e' = U'(n,i)(- • ■ U/(„^^^)(?7'(a,)) . . .) = U(p,i)(- • • U(p^^^)(77(TaJ . . .) = (r(Zj))^e 

True ("no conditions") holds trivially on e'. From the induction assumption we 
have 

Validstor^{{z[, ...<), {z[ : r°^,^,, . . . , 4 : ^,^,), [z[ := vi, . . . , z'^ := /i) 

^ Validsj^\(y,T'^,^,,h!) 

Show that the l.h.s. holds. From Va/i(istore(-^^^(e), F^^, s, /i) we have validity of 
the values of the actual parameters: Vi ^-^ -j Wi for some tfj, where \ <i <k. 
Since r^e(zj) = {T°)rj'e', the left-hand side of the implication holds, and one obtains 
Validya\{v,Tl^,^,,h'). 

Now, implies Trje = t'[. . . ai := Tq,, ...][... riij := pij . . Then from the con- 
struction for rj' and e' it follows t'[. . . Oi := Tq. ...][... riij '■= Pij ■ ■ -jr^e = t'[. . . Oi := 

7]{TaJ ...][... Uij := e{p^j) . . .] = t'^,^, 

Thus, we have Validva\{v,Tr^e, h'). 

□ 



3.5. Completeness of the type system. Recall, that the system we consider is con- 
stituted from zero- and first-order types, typing rules, and Peano arithmetic extended to 
rationals. 

The system is not complete in the class of shapely function definitions: there are shapely 
functions for which shapeliness may not be proved by means of the typing rules and the 
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arithmetic. In other words, their annotated type cannot be checked by the system. For 
instance consider the following expression e: 

let / = f{zi, Zk)\n 

let X = length(/) in if x then cons(l,nil) else nil 

where length (x) returns the length of list x. Let pf{ni, . . . , Uk) denote the polynomial size 
dependency for the shapely function definition /. If / never outputs an empty list, then the 
expression e defines a shapely function, with a polynomial size dependency p(ni, . . . , n^) = 
1. Otherwise p(ni,..., rifc) = when / outputs nil. Suppose, there exists a procedure, 
that for any instantiation of the expression with /, produces its shapely type, when it is 
shapely, or rejects it otherwise. Then this procedure is capable to solve 10th Hilbert problem: 
whether there exists a general procedure that given a polynomial with integer coefficients 
decides if this polynomial has natural roots or notH Matiyasevich |Mat91j has shown that 
such a procedure does not exist. A similar problem is connected with match-construct. 

We study constructions like above in more detail in section 14.21 devoted to decidability 
of type-checking. In particular, in lemma [4?T] we show, that for any integer polynomial q 
there is a shapely function definition / such that its size polynomial pf{ni, . . . , re^) is equal 
to (7^(ni, . . . , nfc) and thus pj has roots if and only if q has roots. 

In fact, this example shows that not only our system, but any system using integer 
arithmetic, is not complete in the class of shapely function definitions. 

4. Type Checking 

Because for every syntactic construction there is only one typing rule that is applicable, 
type checking is straightforward. The procedure parses a given function body and reduces 
to proving equations for rational polynomials. Consider some examples. 

4.1. Examples. 

4.1.1. Cartesian product. In the introduction, the Cartesian product was implemented using 
a "sugared" syntax. Here, we present the cprod function in the language defined in section 

m 

letfun cprod(/i, I2) = match li with | nil =^ nil 

I cons{hd, tl) =^ let I' = pairs(/jd, I2) 
in let /" = cprod(iZ, y) 
in append(/', /") 

in . . . 

Functions pairs and append are assumed to be defined in the core syntax of the language 
as well. Hence, E contains the following types: 

i;(append) = U(a) x L„(q) U+m(Q) 

i;(pairs) = a X \-m{a) L„(L2(a)) 

S(cprod) = U(a) x L„(a) -> \-n*m{^2{a)) 
To type-check cprod : L„(q) x Lm(a) L„=fm(L2(a)) means to check: 

The original formulation is about integer roots. However, both versions are equivalent and logicians 
consider natural roots. 
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Prove: /i : L„(a), ^2 : Lm(a) l-s Cc prod • ^n*m (L2(a)), 
where ecprod is the function body. This is demanded by the first branch of the LETFuN-rule. 
Applying the MATCH-rule branches the proof: 

Nil: n = 0;/2:Lm(a) hs nil : U*m(L2(a)) 

CONS: hd:a, /i:L„(a), tl:Ln-i{a), l2-\-m{oi) hs 

let /' = pa\rs{hd, I2) 1 

in let /" = cprod(iZ,/2) > ■.\-n*m{\-2{oi)) 

in append(/', I") \ 

Applying the NiL-rule to the NiL-branch gives n = Q\-n*m = {), which is trivially true. 
The CONS-branch is proved by applying the LET-rule twice. This results in three proof 
obligations: 

Bind-l': hd:a, /2:Lm(«) Hs pairs(/ic/, /2) :''"i 
BiND-L": tl:ln-i{a), h-.lmia) h ^ cprod {tl, h) ■T2 
Body: I' :ti,1" :t2 He append(/', /") : U*m(Q) 

From the apphcations of the FuNApp-rule to Bind-l' and Bind-l" it follows that ri should 
be Lm(L2(a)) and T2 should be L(„_i)^„(L2(a)). Lastly, applying the FuNApp-rule to Body 
yields the proof obligation \-n*m = m + {n — l)*m, which is true in the axiomatics. 

4.1.2. Example with negative coefficients. In contrast to the system presented by Vasconce- 
los and Hammond |VasHam03j . where only subtraction of constants are allowed, our system 
allows negative coefficients in size expressions. Of course, this is only a valid size expres- 
sion (yielded by a total function) if the polynomial maps naturals into naturals. Here, we 
show an example where this is the case. Given two lists, the function "subtracts" elements 
from lists simultaneously, till one of the lists is empty. Then, the Cartesian product of the 
remaining list with itself is returned: 
sqdifF (/i, I2) = 

match li with | nil =^ cprod(/2, h) 

I cons{hd, tl) =^ match I2 with | nil ^ cprod(/i, li) 

I cons(/id', tl') sqdifF (tl, tl') 

It can be checked that sqdiff has type L„(a) x Lm(a) — > ^{n2+m2-2*n*m)i^2i(^))- 

4.2. Type checking in general is undecidable (even for total function definitions). 

In the examples above, type checking ends up with a set of entailments like n = h n*m = 
or \- n*m = m + m*{n — l) that have to hold. However, we show that there is no procedure 
to check all possible entailments that may arise. To make type checking decidable, we 
formulate a syntactical condition on the structure of a program expression that ensures 
the entailments have a trivial form. The condition is as follows: given a function body, 
allow pattern-matching only on the function parameters or variables bound to them by other 
pattern-matchings. Thus, we prohibit expressions like 
let / = fo{xi, . . . , Xk) in match / with | nil =^ ei 

I cons(/id, tl) =^ 62 

Pattern-matching like 
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match / with | nil ei 

I cons(/id, tl) =^ match tl with | nil =^ e[ 

I COns(/id', tl') =^ 62 

is allowed. Below we explain the reason for this restriction. 

We show that the existence of a procedure that checks all possible entailments at the 
end of type checking is reduced to Hilbert's tenth problem. Type checking is reducible to a 
procedure for checking if arbitrary size polynomials of shapely functions have natural roots. 
It turns out that the latter is the same as finding natural roots of integer polynomials. 

Consider the following expression en with free variables li, . . . , Ik'- 

let / = /o(/i, . . . , Ik) in match / with [ nil => . . . , Ik) 

cons(M, tl) => /2(/i, Ik) 
We check if it has the type L„^(ai) x ... x L„j.(afc) — > Lp(„^^ „j.)(a), given that fi : 
Lni(«i) X ... X Ln^{ak) — > Lp^(„^ ,,,^„j,)(a), with i = 0, 1, 2. Then at the end of the type 
checking procedure we obtain the entailment: 

Poini, . . . , nfc) = h pi(ni, . . . , nfc) = p{ni, n^). 

Even if p and pi are not equal, say pi = and p = 1, it does not mean that type checking 
fails; it might not be possible to enter the "bad" nil-branch. To check if the nil-branch is 
entered means to check if po = has a solution in natural numbers. Thus, a type-checker 
for any size polynomial po must be able to decide if it has natural roots or not. 

Checking if any size polynomial has roots in natural numbers, is as difficult as checking 
whether an arbitrary polynomial has roots or not. First, we prove the following lemma. 

Lemma 4.1. For any polynomial q there is a total shapely function definition f such that 
its size dependency Pf{ni, . . . , Uk) is equal to q^{ni, . . . , n^). 

Proof. First, note that any polynomial q may be presented as the difference qi — q2 of two 
polynomials with non-negative coefficient^. So, = 92)^ is a size polynomial, obtained 
by superposition of sqdifF with qi and q2. Here qi and (72 are size polynomials with positive 
coefficients for corresponding compositions of append and copyfirst : L„(q) x Lm(a) — ^ 
Ln*m(o) (see subsection 15. ip functions. □ 

Summing up the constructions above we obtain the following statement: 

Lemma 4.2. If there exists a type-checker that for any function definition and its type an- 
notation is able to accept or reject the annotated type correctly, then there exists a procedure 
that for any integer polynomial q{ni, . . . , n^) decides if it has natural roots or not. 

Proof. Suppose that such type checker exists. Consider the expression ch above with /o, 
fii f2 defined as follows. Using lemma [^Tj construct a function definition /o that has a 
size dependency (?^(ni, . . . , n^). Now let /i be defined by the expression nil and let /2 be 
defined by cons(l, nil). 

The type checker accepts en with the type annotation p = 1 if and only if the nil-branch 
is not entered, that is if and only if q'^{ni, . . . , n^) has no roots. Trivially, q'^{ni, . . . , Uk) 
has roots if and only if q{ni, . . . , n^) does. □ 

% q = I]ai^,...^i^xY . . .xl^ , then gi = T.^^^^^ ^^^>oaii,...,ikXY ■ ■ ■ , and q^ = 
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So, existence of a general type-checker reduces to solving Hilbert's tenth problem. 
Hence, type checking is undecidable. 

We can show this in a more constructive way using the stronger form of the undecid- 
ability of Hilbert's tenth problem: for any type-checking procedure X one can construct 
a program expression, for which X fails to give the correct answer. We will use the re- 
sult of Matiyasevich who has proved the following: there is a one-parameter Diophantine 
equation W{a, ni, . . . , n^) = and an algorithm which for given algorithm A produces a 
number a^^ such that A fails to give the correct answer for the question whether equation 
Ty(a_4, ni, . . . , rifc) = has a solution in (ni, . . . , n^). So, if in the example above one takes 
the function /o such that its size polynomial po is the square of the W^aj, ni, . . . , n^) and 
p = 1, pi = 0, then the type checker X fails to give the correct answer for en- 

An anonymous reviewer pointed out that the construction from lemma HTT] demonstrates 
a problem with real arithmetic, when it is used to check numerical entailments, generated 
by the type checker. Suppose we want to omit the syntactic restriction and type check the 
expression en where the size dependency for /o is po{n) = (n^ — 2)^. A real-arithmetic- 
based version of the checker rejects en, since there is a real root for pQ and in this abstract 
interpretation the nil-branch with 1 = must be considered. In fact, the expression is 
well- typed with annotation p = 1, since there is no natural roots for pQ and the nil-branch 
is never entered. 

For checking a particular expression it is sufficient to solve the corresponding sets of 
Diophantine equations. Type checking depends on decidability of Diophantine equations 
from D in any entailment D \- p = p' , where p is not equal to p' in general (but might be 
if the equations from D hold). If we have a solution for D we can substitute this solution 
in p and p'. If a solution over variables ni, . . . ,nm, nm+i, . . . , is a set of equations 
n-i = qi{nm+i, ■ ■ ■ , rik) where 1 < i < m, then the expressions for rij can be substituted into 
p = p' and one trivially checks the equality of the two polynomials over n-m+i, • • • , 'w- 
the axiomatics of the rational field. Recall that two polynomials are equal if and only if the 
coefficient at monomials with the same degrees of variables are equal. 

4.3. Syntactical condition for decidability. The simplest way to ensure decidability is 
to require that all equations in D have the form n = c, where c is a constant. This would 
in particular exclude the example en from above. As we will see below, this requirement 
can be fulfilled by imposing the syntactical condition for program expressions, prohibiting 
pattern matching on variables other than function parameters and bounded to them by other 
pattern matchings. 

It is easy to see that any function body that satisfies the syntactic condition may be 
encoded in the language defined by the refined grammar where the let-construct in e is 
replaced by let x = 6 in Cnomatch- 



Basic b 
Expr e 



c I X binop y I nil I cons(z, /) | f{zi, . . . , z^) 
b 

I let Z = 6 in Cnomatch 

I if X then ci else 62 
I match I with 1 nil =^ ei 



I cons{hd, tl) =^ 62 



letfun f{zi, . . . ,2:„) = ei in 62 
letextern /(zi, . . . , Zn) in ei 
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with 

f-nomatch ■ ^ 

I let z = 6 in e'„„„^j^;, 
I if X then e^^^^j^^ else e'^^^^^i^.^ 
I letfun f{zi,...,Zn) =e in e'„4^^ 
I letextern in e'„j,;, 

The grammar is more restrictive than the syntactic condition. However, any function body 
that satisfies the condition may be encoded in this grammar. For instance, an expression 
let /' = /o(-z) in match / with | nil =^ fi{l, I') 

I cons{hd, tl) =^ f2{l, I') 

and the expression 

match I with | nil =^ let /' = fo{z) in fi{l, I') 

I cons(M, tl) let I' = fo{z) in /2(/, /') 

define the same map of hsts. 

For this reason we cah the refined grammar the "no-let-before-match" grammar, and 
roughly refer to the syntactic conditions as to the "no-let-before-match" condition. The 
demo version of the type checker, accessible from www.aha.cs.ru.nl, uses the "no-let- 
before-match" grammar. 

Theorem 4.3. Let a program expression e satisfy the refined grammar, and let us check 
the judgement True; xi : rf, . . . , : e : r. Then, at the end of the type- checking 

procedure one has to check entailments of the form 
D \- p' = p, 

where D is a set of equations of the form n — c = for some n G FVS{Tf x . . . x r^) and 
constant c and p, p' are polynomials in FVS{ti x . . . x r^). 

Sketch of the proof. Consider a path in the type checking tree which ends up with some 
D h p' = p and let an equation q = belongs to D. It means that in the path there is the 
nil-branch of the pattern matching for some I : Lg(r). 

By induction on the length of the path, one can show that q = n — c for some size 
variable n € FVS{ti x ... x r^) and some constant c. This uses the fact that follows from 
the syntactic condition: the program variables which are not free in a program expression 
and pattern-matched may be introduced only by another pattern-matching, but not a let- 
binding. The technical report [ShvKvE07aj contains the full proof. 

Of course, the syntactical condition of the theorem may be relaxed. One may allow 
expressions with pattern-matching in a let-body, assuming that functions that appear in 
let-bindings, like /o, give rise to solvable Diophantine equations. For instance, when po is a 
linear function, one of the variables is expressed via the others and constants and substituted 
into pi = p. Another case when it is easy to check if there are natural roots for po = or 
not (and find them if "yes" ) is when pQ is a 1-variable polynomial. We leave relaxations of 
the condition for future work. 

5. Type Inference 

Here we discuss type inference under the syntactical condition defined in the previous 
section. Since we consider shapely functions, there is a way to reduce type inference to type- 
checking using the well-known fact that a finite polynomial is defined by a finite number 
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of points. The procedure presented in this section was sketched by us in [ShvKvE07bj and 
given in details and evaluated with a series of measurements in |vKShvE07j . 

For each size dependency from the output type of a given function definition one assumes 
that it is a polynomial and one guesses its degree. Then, to obtain the coefficients of the 
polynomial of this degree, the function definition is evaluated (preferably in a sand-box) 
as many times as the number of coefficients the polynomial has. This finite number of 
input-output size pairs defines a system of linear equations, where the unknowns are the 
coefhcients of the polynomial. When the sizes of the input data satisfy some criteria known 
from polynomial interpolation theory |Chui871 ILor92j (see the subsections below for more 
detail), the system has a unique solution. Input sizes that satisfy these criteria, which are 
nontrivial for multivariate polynomials, can be determined algorithmically. 

In this way we find using interpolation theory the interpolating polynomial for the size 
dependency. If the size dependency is a polynomial function and the hypothesis about its 
degree is correct, then it coincides with its interpolating polynomial. To check if this is the 
case, the interpolating polynomial is given to the type checking procedure. If it passes, it 
is correct. Otherwise, one repeats the procedure for a higher degree of the size dependency. 
Starting with degree zercH, the method iteratively constructs the interpolating polynomials 
until the correct polynomial is found. It does not terminate when 

(1) the function under consideration does not terminate on test data, 

(2) the function is non-shapely, 

(3) the function is shapely but the type-checker rejects it due to the type-system's incom- 
pleteness (see section 13. 5p . 

The method infers polynomial size dependencies for a nontrivial class of shapely func- 
tions. For instance, standard type inference for the underlying type system yields that the 
function cprod has the underlying type \-{a) x L(a;) — > L(L(q!)). Adding size annotations 
with unknown output polynomials gives cprod : L„(a) x Lm(a) — > Lpj(Lp2(a)). We assume 
pi is quadratic so we have to compute the coefficients in its presentation: 

Pi{n, m) = ao,o + ao,in + aiflm + ai^inm + ao,2"-^ + a2,o"i^ 

Running the function cprod on six pairs of lists of length 0, 1, 2 yields: 



n 


m 


^1 


h 


cprod (/i, /2) 


Pi{n, m) 


P2{n,m) 








[] 


D 


[] 





? 


1 





[0] 


D 


[] 





? 





1 





[0] 


[] 





? 


1 


1 


[0] 


[1] 


[[0, 1]] 


1 


2 


2 


1 


[0,1] 


[2] 


[[0,2], [1,2]] 


2 


2 


1 


2 


[0] 


[1,2] 


[[0,1], [0,2]] 


2 


2 



The first three rows of the table are examples of incomplete measurements, where the size of 
the inner list is unknown, because the outer list is empty. The last three rows are complete 
measurements. 



On can also start with a higher degree. If the degree of the solution happens to be lower than the initial 
degree, the solution will still be found since the found coefficients will be zero at the right places. 
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The test table defines the foUowing hnear system for the outer output hst: 

ao,o = 
oo,o + «o,i + ao,2 = 

00,0 + «1,0 + 02,0 = 

00,0 + oo,i + ai,o + oo,2 + oi,i + a2,o = 1 
oo,o + 2ao,i + oi,o + 4ao,2 + 2ai,i + a2,o = 2 
oo,o + oo,i + 2aifl + ao,2 + 2ai,i + 4a2,o = 2 

The unique solution is ai.i = 1 and the rest of coefficients are zero. To verify whether 
the interpolation is indeed the size polynomial, one checks if cprod : L„(a) x Lm(a) — > 
Ln*m(L2(a))- This is the case, as was shown in section [4Tl 

As an alternative way of finding the coefficients, one could try to solve directly the 
(recurrence) equations defined by entailments D h p = p' that arise during construction of 
the type-inference tree for a function definition. As we will see in subsection 15. H it amounts 
to solving systems that are nonlinear in general. By combining testing with type checking 
we bypass nonlinear systems [vKShvEOT] . 

However, test-based inference has a drawback: it is not fully static. The procedure has 
dynamic aspects, since it is done not only in the underlying logic of the type system (i.e. 
Peano arithmetic), but it involves executing the interpreter of the programming language. 
A consequence of it may be that inference for function definitions with external calls is 
based on the semantics of another language. When the size dependency of the external 
function is known, this can be avoided by 

• modifying the interpreter of our language in such a way, that in the case of an external 
call it creates a "fake" object of the right size (the size of the result of "this" external 
call), or 

• leaving the interpreter in intact, and creating for any external function from its sized type 
a "fake" function body in our language with the same size dependency as the external 
function. 

From an engineering point of view, the advantage of the second approach is that a standard 
interpreter can be used directly. We discuss the mechanism of generating "fake" functions 
inEEl 

Ideally, one would like to remove all dynamic aspects from type inference. In our current 
research towards fully static inference we consider a modification of the method where 
instead of the interpreter of the programming language one uses an abstract interpreter in 
the form of a term-rewriting system of which the rewriting rules will correspond to equations 
in Peano arithmetic. For instance, progression is interpreted as p{n) — > n+p{n — 1) together 
with p{0) 0. We have presented preliminary results in the technical report [ShvE0T"8] . 

5.1. Motivation for test-based inference. Consider, as an example of the complexity 
of systems generated by conventional type inference, the system for a function definition 
nonlinear with auxiliary functions: 

copy: ln{a) ~^ L„(a) 

copyfirst: L„^(a) x L„2(a) ~* L„^*„2(q;) 

sqdiffaux: L„,(a) x L„,(a) ^ L„2_^„2_2*„i*„2 (a) 
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where (in the sugared syntajH) 

letfun copy(/) = match / with | nil =^ nil 

I cons{hd,tl) =^ cons{hd , copy (tl)) 
in letfun copyfirst(/i, I2) = match I2 with | nil =^ nil 

I cons(/id, tl) =^ li ++copyfirst(/i, tl) 
in letfun sqdiffaux(/i, ^2) = match li with | nil =^ copyfirst(/2, ^2) 

I cons{hd, tl) =^ 
match I2 with | nil =^ copyfirst(/i, li) 

I con5{hd', tl') =^ sqdiffaux(i/, tl') 
in letfun nonlinear(/i, I2) = match li with | nil =^ copyfirst(copyfirst(/2, ^2)1 [1 • • - 4]) 

I cons{hd, tl) 

match I2 with | nil =^ copyfirst(copyfirst(/i, h), [1 . . .4]) 

I cons(/id', tl') =^ 
sqdifFaux(nonlinear(iZ, 12)++ hi nonlinear(/i, tl')++l2) 
++ copyfirst(copyfirst(/i, I2), [I . . . 17]) 

in . . . 

The inference procedure ends up with the following recurrence system: 
p(0,n2) = 4n2 

p(ni,0) = 4n2 (1) 
p{ni,n2) = - 1,712) + ni - (p(ni,n2 - 1) + n2))^ + 17nin2 

The problem is to find p, assuming, say, that it is quadratic. 

A standard way of solving this problem uses the method of unknown coefficients. A 
polynomial to find, p{ni,n2), is presented in the form ao,o + ao,i"i + 01,0^^2 + CLi^inin2 + 
00,2"-! + ^2,0^2 substituted into (1). Equating the corresponding coefficients of the 
polynomials from the left and right sides of the equations from (1) gives 



ao,o 


= 0, ai,o 


= 0, a2,o = 4, 


«o,i = 0, ao,2 = 4 




ao,2 


= - 


2ao,2 + 1)2 






02,0 


= (2a2,o - 


- ai,i - 1)2 








= 2(ai,i- 


-2ao,2 + l)(2a2 


o-ai,i-l) + 17 




ao,i 


= 2((ai,o 


- ao,i) + (ao,2 - 


- a2,o))(ai,i - 2ao,2 


+ 1) 


ai,o 


= 2((ai,o 


- oo.i) + (00,2 - 


- a2,o))(2a2,o - ai,i 


-1) 


. «0,0 


= ((ai,o - 


- «o,i) + (ao,2 - 


"2,0))=^ 





Substituting the coefficients ao,o = 0, oi^o = 0, 02,0 = 4, ao,i = 0, 00,2 = 4 in the 
remaining equations one obtains the non-linear system 

J - 14ai,i +45 =0 
\ 2a\^ - 27ai,i + 81 = 
The solution of this quadratic system can be found easily. It is a\^\ = 9. 

^Recall, that in the sugared syntax we use f{g{z)) for "let z' — g{z) in f{z')" and, moreover, use [1 . . . c] 
for c-ary application of cons( — ) to nil, so that [1 . . . 3] denotes cons(l, cons(2, cons(3, nil))). We also use 
the infix ++ for append. 
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In general, non-linear systems may be hard to solve. With the testing approach we 
avoid solving nonlinear systems w.r.t. polynomial coefficients aij. Instead, we compute the 
coefficients solving the linear system that is generated after testing. 



5.2. Interpolating a polynomial. A hypothesis for a type is derived automatically by 
fitting a polynomial to the size data, as it was shown in the example cprod. We are looking 
for the polynomial that best approaches the data, i.e., the polynomial interpolation. The 
polynomial interpolation exists and is unique under some conditions on the data, which are 
explored in polynomial interpolation theory [Chui87|, ILor92j . 

For 1-variable interpolation this condition is well-known. A polynomial p{z) of degree 
d with coefficients ai, . . . , a^+i can be written as follows: 

ai + a2Z + . . . + ad+i z'^ = p{z) 

The values of the polynomial function in any pairwise different d + 1 points determine a 
system of linear equations w.r.t. the polynomial coefficients. More specifically, given the set 
of pairs of numbers, where 1 < i < d+ 1, and coefficients ai, ... , a^+i, the set of 
equations can be represented in the following matrix form, where only the aj are unknown: 



/I 
1 



Z2 



"1 



\ 



1 Zd 
Vl Zd+1 



( ai \ 

02 

ad 



( P{zi) \ 

P{Z2) 

P{zd) 
\p{zd+i)J 



^d+1 

The determinant of the left matrix, contains the measurement points, is called a Vander- 
monde determinant. For pairwise different points zi, . . . , z^j^i it is non-zero. This means 
that, as long as the output size is measured for d + 1 different input sizes, there exists a 
unique solution for the system of equations and, thus, a unique interpolating polynomial. 

The condition under which there exists a unique polynomial that interpolates multi- 
variate data is not trivial. We formulate it in the next subsection. Here we introduce the 
necessary definitions. 

Recall that a polynomial of degree d and dimension k (the number of variables) has 
= i^X^) coefficients. Let a set of values fi of a real function / be given. A set = {wi : 
z = 1, . . . , N^} of points in a real /c-dimensional space forms the set of interpolation nodes if 
there is a unique polynomial p{z) = Eo<|j|<dajZ'' with the total degree d with the property 
p{wi) = fi, where 1 < « < A^^^. In this case one says that the polynomial p interpolates the 
function / at the nodes Wi. 

The condition on W , which assures the existence and uniqueness of an interpolating 
polynomial, is geometrical: it describes a configuration, called NCA |Chui87] . in which 
the points from W should be placed in TZ^ . The multivariate Vandermonde determinant 
computed from such points is non-zero. Thus, the corresponding system of linear equations 
w.r.t. the polynomial's coefficients has a unique solution. In the following subsections we 
show how to generate a collection of natural-valued nodes Wi in an NCA configuration. A 
Vandermonde determinant is computed by the same formula in reals and naturals, so the 
system of linear equations based on natural nodes will have a unique (rational) solution. 
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Figure 1: (a) A node configuration that has a unique two-dimensional polynomial interpola- 
tion (b) A more systematic node configuration that has a unique two-dimensional 
polynomial interpolation (c) Incomplete measurements complicate finding a node 
configuration (d) Incomplete measurements for the pairs in the output of cprod. 



5.3. Measuring bivariate polynomials. For a two-dimensional polynomial of degree d, 
the condition on the nodes that guarantees a unique polynomial interpolation is as follows 
|Chui87| : 

Definition 5.1. nodes forming a set W C TZ'^ lie in a 2- dimensional NCA configuration 
if there exist lines 71, ... , 7^+1 in the space TZ'^, such that d + l nodes of W lie on jd+i and 
d nodes of W lie on 7^ \ 7^+1, and finally 1 node of W lies on 71 \ (72 U . . . U 7^+1). 

An example of such a configuration for integers is given in figure [1^. 

Nodes satisfying this condition can be found automatically: if the output type of a 
given function definition is Lpi(. . . \-p^(a) . . .), then for the outermost-list size pi choose a 
triangle of nodes on parallel lines, like in figure [Da. 

An example of the two dimensional case is the cprod function above. As we have seen, 
the procedure of reconstructing the size polynomial pi for the outer list is straightforward. 
However, there is a problem for p2. There are cases in which nodes have no correspond- 
ing output size (the question-marks in the table that refer to incomplete measurements). 
Measurements for p2 may be incomplete, because the size of the inner lists can only be 
determined when there is at least one such a list. Thus, the outer list may not be empty for 
complete measurements. As can be seen in figure [T]l, for cprod output's outer list is empty 
when one of the two input lists is empty. In the next section, we show that, despite this, it 
is always possible to find enough measurements and give an upper bound on the number of 
natural nodes that have to be searched. 

5.4. Handling incomplete measurements. In general, for \-p^{. ■ ■ Lp^(a) . . .) we will not 
find a value for pj at a node if one of the outer polynomials, pi to Pj-i, is zero at that node. 
Thus, the nodes where pi to pj-i are zero should be excluded from the testing process. 
Here, we show that, despite this, it is always possible to find enough nodes using finite 
search. 

First, nested output lists of which the size of the outer list is the constant zero, e.g. 
Lo(Lp2(a'))) need special treatment. If a type-checker rejects annotations for pi = and 
arbitrary p2 then the outer polynomial pi is not a constant zero. (Recall the definition of 
DhT = t'.) 

Now, let the outer polynomial pi{x,y) be not a constant zero. Then there is a finite 
number of lines y = i, which we will call root lines, where pi{x, i) = 0. 
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Lemma 5.2. A polynomial pi{x, y) of degree d that is not constant has at most d root 
lines y = i, such that pi{x, i) = for all x. 

Proof. Suppose there are more than d root lines. Then, it is easy to pick 1, . . . ,d+l nodes 
on d + 1 root Unes. They triviahy are in NCA configuration. With these nodes, at which 
pi{x,y) = 0, the system of hnear equations for the coefficients of pi will have the zero- 
solution, that is, all the coefficients of pi will be zeros. This contradicts the assumption 
that pi is not constant 0. □ 

Using the lemma, we can bound the number of parallel lines y = i and nodes on them 
that have to be searched. Essentially, we are to find a triangle configuration of nodes, like 
on figure [1)3, skipping all crosses, see [It. 

Lemma 5.3. When looking for nodes for a polynomial p2{x,y) that determine a unique 
polynomial interpolation at places where another polynomial pi{x,y) ^ 0, it is sufficient to 
search the lines y = 0, . . . ,y = di + d2 in the square [0, . . . , di + ^2] x [0, . . . , di + 1^2] . 

Proof. For the configuration it is sufficient to have ^2 + 1 lines y = i with at least d2 + 1 
points where pi{x,y) 7^ 0. Due to lemma (5^ there are at most di lines y = i such that 
Pi{x, i) = 0, so at least (i2 + 1 are not root lines for pi. The polynomial j), with 

y = j not a root line, has at most degree di, thus y = j contains at most di nodes (x, j), 
such that pi{x, j) = 0. Otherwise, it would have been constant zero, and thus a root line. 
Hence, this leaves at least ^2 + 1 points on these lines for which pi is not zero. □ 

This straightforwardly generalizes to all nested types Lpj(. . . Lp^(a) . . .) with polynomi- 
als in two variables. If we want to derive the coefficients of pi, searching the square of input 
values [0, . . . , T,^j^^dj] x [0, . . . , T,^j^^dj] suffices, where dj is the degree of pj. Each pj has 

at most dj root lines, so there are at most Ti^jZ}^dj root lines for pi, . . . ,Pi-i. Also, each of 
the Pj can have at most dj zeros on a non root line. Hence, since the length of the search 
interval for pi is Tj'j^^dj + 1, there are always di + 1 values known. 

Eventually, it is enough to search in [0, . . . , T,j^^dj] x [0, . . . , Sj^j^dj]. 

For cprod there are two size expressions to derive, pi for the outer list and p2 for the 
inner lists. Deriving that pi(ni, 71,2) = ni*n2 is no problem. Because pi has roots for ni = 
and for n2 = 0, these nodes should be skipped when measuring p2 (see figure [1]1). 

5.5. Generalizing to k-dimensional polynomials. The generalization of the condition 
on nodes for a unique polynomial interpolation to polynomials in k variables, is a straight- 
forward inductive generalization of the two-dimensional case. In a hyperspace there have to 
be hyperplanes, on each of which nodes lie that satisfy the condition in the k — 1 dimensional 
case. A hyperplane Kj may be viewed as a set in which test points for a polynomial of 
k — 1 variables of the degree j lie. There must be = — Nj_^ such points. The 

condition on the nodes is defined by: 

Definition 5.4. The NCA configuration for k variables (k-dimensional space) is defined 
inductively on k |Chui87j . Let {zi, . . . , Zj^k} be a set of distinct points in 7^*^ such that 

d 

there exist d + 1 hyperplanes Kj , < j < d with 

z^k ...,zj^k G {Kf^^ U...UK^},ioT < i < d - 1 

3 — 1 3 J J • 



POLYNOMIAL SIZE ANALYSIS OF FIRST-ORDER SHAPELY FUNCTIONS 



27 



and each of set of points Zjqk . . . , Zj^k , < j < d, considered as points in TZ'' ^ satisfies 
NCA in 7^'^-l. 

For instance, given d = 2 and /c = 3 (i.e. interpolating by polynomials of 3 variables of 
degree 2), the following collection of N2 = (^3^^) = 10 nodes, placed on parallel planes in 
TZ^ , satisfies an NCA configuration: 

(1) on the plane x = take the "triangle" of 7V| = 6 points (0, 0, 0), (0, 0, 1), (0, 0, 2), 
(0, 1, 0), (0, 1, 1), (0, 2, 0), 

(2) on the plane x = 1 take the "triangle" of Nl = 3 points (1, 1, 0), (1, 0, 1), (1, 1, 1), 

(3) on the plane x = 2 take the point (2, 0, 0). 

Here the nodes on each of the planes lie in the 2-dimensional NCA configurations con- 
structed for degrees 2, 1 and respectively. 

Similarly to lines in a square in the two-dimensional case, parallel hyperplanes in TZ^ 
have to be searched while generating hypothesis for a nested type. Using a reasoning similar 
to the two-dimensional case one can show that it is always sufficient to search a hypercube 
with sides [0, . . . , Sj^j^dj]. 

5.6. Automatically inferring size-aware types: the procedure. The type checking 
procedure and the size hypothesis generation can be combined to create an inference pro- 
cedure. The procedure starts with assuming a fixed degree. The assumptions is that this 
degree is the maximum degree of all polynomials in the type. If checking rejects the hypoth- 
esis generated for this degree, the degree is increased and the test-check cycle is repeated. 
The procedure is semi-algorithmic: it terminates only when the function is well-typable. 

Recently, we have developed a demonstrator for the inference procedure described in 
[vKShvE07] . It is accessible on www.aha.cs.ru.nl. 

For any shapely program, the underlying type (the type without size annotations) 
can be derived by a standard type inference algorithm |Mil78j . After straightforwardly 
annotating input sizes with size variables and output sizes with size expression variables, 
we have for example 

cprod : Ui(a) x U2(a) Lp^(„^ „2)('-p2(r!.i,n2)(«)) 

To derive the size expressions on the right hand side we use the following procedure. 
First, the maximum degree of the occurring size expressions is assumed, starting with zero. 
Then, a hypothesis is generated for each size expression, from pi to ps- After hypotheses 
have been obtained for all size expressions they are added to the type and this hypothesis 
type is checked using the type checking algorithm. If it is accepted, the type is returned. If 
not, the procedure is repeated for a higher degree d. 

The schema below shows the procedure in pseudo-code. The TrylncreasingDegrees 
function generates (by GetSizeAwareType) and checks (by CheckSizeAwareType) hypothe- 
ses. A size expression is derived by selecting a node configuration (GetNodeConf), running 
the tests for these nodes (RunTests), and deriving the size polynomial from the test results 
{DerivePolynomial) . 
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Function: TryIncreasingDegrees 
Input: a degree d, a function definition f 
Output: the size-aware type of tliat function 

TryIncreasingDegrees (d, f) = 

let type = lNFERUNDERLYINGTYPE(f ) 

atype = ANNOTATEWlTHSlZEVARIABLES(t2/pe) 
VS = GETOUTPUTSlZEVARIABLES(ai?/pe) 

stype = GETSlZEAwARETYPE((i, f , atype, vs, [ ]) 
in if (CHECKSiZEAwARETYPE(siype, f )) then stype 

else TRYlNGREASINGDEGREES((i+i, f) 

Function: GetSizeAwareType 
Input: a degree d, 

a function definition f , 
its annotated type, 
a list of unknown size annotations, 
and the polynomials already derived 
Output: the size-aware type 

of that function if the degree is high enough 
GETSiZEAwARETYPE(d, f , atype, [ ], ps) = 

ANNOTATEWiTHSiZEExPRESSiONS(ai2/pe, ps) // The End 
GETSiZEAwARETYPE((i, f , atype, v.vs, ps) = 
let nodes = GETNODECONF(rf, atype, ps) 
results = RuNTESTS(f , nodes) 

p = DERiVEPOLYNOMiAL(d, V, atype, nodes, results) 
in GETSiZEAwARETYPE(d, f , atype, vs, p:ps) 

If a type is rejected, this can mean two things. First, the assumed degree was too low and 
one of the size expressions has a higher degree. That is why the procedure continues for a 
higher degree. Another possibility is that one of the size expressions is not a polynomial (the 
function definition is not shapely) or that the type cannot be checked due to incompleteness 
of the type system. In that case the procedure will not terminate. If the function is well- 
typable, the procedure will eventually find the correct size-aware type and terminate. 

A collection of examples - function definitions together with size measurements - is 
presented in [vKShvEOT] . 

5.7. Complexity of hypotheses-generating phase. Given a function definition, its un- 
derlying first-order type and a maximal degree of hypothetical polynomials, the complexity 
of its hypothesis-generating phase depends on three parameters: 

• the nestedness s > of the output type which may be either Lp^(. . . Lp^(liit) . . .) or 

Lpi(---Lps («)•••)> 

• the fixed maximal degree d of the polynomials pi, . . . , ps, 

• the number of size variables k defined by the input type of the function. 

To generate hypothesis for pi(ni, . . . , n^) one 
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(1) generates = natural-valued nodes inductively on k; it is done by the definition 
15.41 of NCA configuration for the A;-variable case (note that for A; = 1 it is just the 1- 
dimensional nodes 0, . . . , d). 

(2) generates a collection of concrete inputs with the sizes, defined by the nodes, 

(3) evaluates the function body iV| = (''+'^) times on these inputs, 

(4) solves the system of Nj^ linear equations to obtain coefficients for pi . 
Generating hypotheses for a pj, j > 1, is similar. However, generating the collection 
~ i^f^) nodes is more complicated, since nodes sending some pj/, j' < j, to zero are 

excluded. In the worst case, to find correct nodes, one needs to evaluate a k dimensional 
cube with side [0, . . . , jd], that is to evaluate (to check if it has a zero value) j — 1 polynomials 
in at most {jd + 1)'^ nodes. 

Thus, for each 1 < j < s the complexity is bounded by Cevaipi,...,pj.i + Cevaipj + Cgauss, 
where 

• Cevaipi,...,pj-i = (j — 1) ■ {jd+ 1)'^ evaluations of polynomials, 

• Cevaipj = = Cf^) evaluations of the function definition, 

• Cgauss = 0{N^ ^) is the complexity of Gaussian elimination. 

If the results of evaluations of polynomials on the j-th step are memoised, then alto- 
gether for j = 1, . . . s one needs at most (s — 1) ■ {sd + 1)'^ evaluations of polynomials. 
Thus, the complexity of the hypotheses-generating phase for all j = 1, . . . s together is 
{s-l)-{sd+ir + s-{'t')+s-OiCtf). 

5.8. Inhabitants for the types of external functions. Let fext be an external function. 
Since the function is external, its code is not present in our language. However, its first-order 
type may be available. We have to trust this type since we cannot check it. 

For inference of types of other functions that somewhere call fext; our testing procedure 
requires the possibility to evaluate within our language the code of the external function. 
Such code can be made available in our language by constructing an inhabitant of the type 

of fexf 

For our demonstrator, an alternative solution would be to create an actual external call 
for each occurrence of an external function. This may require more implementation effort 
within the demonstrator. The type inference procedure might take more time because the 
external function may require more time to execute than the generated inhabitants of the 
type. Therefore, we prefer to work with inhabitants (which yields the same size dependencies 
as using external functions directly). For reasons of modularity it might even be worthwhile 
to also create inhabitants of internal functions (e.g. in the case of using an interface to a 
huge, time intensive library). 

Below, we show how to construct in our language a function f which is an inhabitant of 
a given type of an external function. It is not necessary to demand that f and the external 
function are equal as set-theoretic maps. They must have the same size dependency, i.e. 
the same type. 

Let fext have the type L„(a) Lp(„)(a). We define the body of f by the following 
program expression: 

match / with | nil =^ nil 

I con5{hd,tl) ^ ger\(hd, p(p)(length(/)) ) 
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Now we explain the subexpressions in the nil- and cons-branches. In the nil-branch the 
expression returns the empty list. This is the only choice, due to the following "folklore" 
property (which to our knowledge was not published earlier). 

Lemma 5.5. Any total polymorphic function g : L(a) L(a) maps the empty list to the 
empty list. 

Proof. We prove this property using the "free" theorem map(a) o = g^i o map(a) from 
[Wad05| . which holds for all a : a ^ a'. Here map : (a — > a') —>■ L(a) —>■ L(a') lifts 
a to lists, and ga denotes the instantiation of g with type a. Suppose the opposite: ga 
sends nil to [hd . . . stop], and ga' sends nil to [hd' . . . stop']. Then map(a) o g^ sends nil to 
[a{hd) . . . a{stop)] and g^' ° map(a) sends nil to [hd' . . . stop']. It is not the case that for all 
a one has a{hd) = hd'. □ 

It is a routine exercise to extend this "property for free" to nested lists. 

In the cons-branch we use a straightforwardly defined function gen(z, x) : a x Int — > 
L(a) that outputs a list of z-s of length a; if x is non- negative and does not terminate 
otherwise. We also use a function generator p, that given a polynomial p, generate a 
function definition p{p) : Int — > Int such that p{p){n) = p{n). It is easy to see that for 
any non-empty list / of length n the composition gen(hd, p(p)(length(/))) terminates if fext 
terminates. It follows from the fact that if fext terminates on / then p{n) > 0, since p{n) is 
the length of the corresponding output. 

6. Conclusion and Further Work 

We have presented a natural syntactic restriction such that type checking of a size-aware 
type system for first-order shapely functions is decidable for polynomial size expressions 
without any limitations on the degree of the polynomials. 

A non-standard, practical method to infer types is introduced. It uses run-time results 
to generate a set of equations. These equations are linear and hence automatically solvable. 
The method terminates on a non-trivial class of shapely functions. 

6.1. Further work. The system is defined for polymorphic lists. Recently, it has been 
shown [TaShvEOSj how to extend the system to ordinary inductive types (no nested induc- 
tive definitions). 

An obvious limitation of our approach is that we consider only shapely functions. In 
practice, one is often interested to obtain upper bounds on space complexity for non-shapely 
functions. A simple example, where for a non-shapely function an upper bound would be 
useful, is the function to insert an element in a list, provided the list does not contain 
the element. At present we have been studying checking and inference of size annotations 
in the form of collections of piecewise polynomials that represent at least all possible size 
dependencies. For instance, insert is annotated with {p{n) = n + i}o<j<i, and delete is 
annotated with {p{n) = f^— i}o<j<i. Such collections may be potentially infinite, like in the 
case of recursive application of insert with {p{n, m) = n-|-i}o<j<m- Here, involvement of real 
arithmetic is inevitable in type checking. As for inference, when one is interested in strict 
("principal type") and polynomial lower and upper bounds, pmin and Pmax respectively, it is 
possible to extend our testing procedure to obtain them. Then, one checks the hypothesis 
in the form {p^in + ^}o<i<(p„ax-p^in)- 
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We plan to allow both unsized integers and adding non-trivial sizes to integers. The size 
of a non-negative sized integer is taken to be its value. This allows to type such functions 
as init : Int" — s- L„(lnt), which on the integer n outputs the list of 1 of length n. With 
sized integers one can type such function definitions without introducing dependent types. 
Hence, the decision how to add sizes to integers is connected to the problem of using sized 
and non-sized types within the same system. We leave it for future work based e.g. on 
|VasHam03j and |JaySek97| . 

Addition of other data structures and extension to non-shapely functions will open the 
possibility to use the system for an actual programming language. 

Application of the methodology to estimate stack and time complexity is considered as 
a topic for future projects. 
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Appendix: auxiliary lemmata for soundness proof 

Lemma 6.1 (A program value's footprint is in the heap). TZ{h, v) C dom{h). 

Proof. The lemma is proved by induction on the size of the (domain of the) heap h. 
dom{h) = 0: Then no £ G dom{h) exists and 7l{h, v) = 0. 

dom{h) 7^ 0: v = c or v = NULL: Then 7l{h, v) = 0, which is trivially a subset of 
dom{h). 

V = I and dom{h) = {dom{h) \ {£}) U {I}: From the definition of TZ we get lZ{h^ I) = 

{£} u n{h\ 

dom{h)\{e}j hd.hd) U Tl{h\dom{h)\{e}i h.l.tl). Applying the induc- 
tion hypotheses we derive that 7?.(/i|^o^(/j)\{£-}., h.l.hd) C dom{h\^Q^(^fi-^\^£j) and 
T^{h\dom{h)\{e}, h.£.tl) C dom{h\dom{h)\{e})- Hence, 7^(/t, /) C dom{h). 

□ 

Lemma 6.2 (Extending a heap does not change the footprints of program values). // 
i ^ dom{h) and h! = h[l.h.d := Vhd, -^-tl := v^i] for some Vi^i, Uti then for any v ^ i one 
has TZ{h, v) = TZ{h' , v). 

Proof. The lemma is proved by induction on the size of the (domain of the) heap h. 

dom{h) = 0: Since h' = [£.hd = ■Uhd,-^-tl := '"ti] and v £we have v {£} = dom{h'). 

Therefore, 7^(/^, v)=% = n{h' , v). 
dom{h) 7^ 0: We proceed by case distinction on v. 

v = coY v = NULL: Then, 7^(/^, v) = % = n{h', v). 

V = £': li £' ^ dom{h), then due to £' £ we have £' ^ dom{h) as well and 
n{h, v) = 9 = n{h', v). 

Let £' G dom{h). From the definition of TZ we get 

7^(/^, t) = {£'} u n{hUom(hm'}, h.£'.\id.) u n{hUom{hm'}, h.£'.t\). 

Due to h'{£') = h{£') and 

h'\dom{h')\{i'} = h\dom{h)\{i'}[^-'^^ '■= l^d, ■^•tl := Vtl], 

and the induction assumption one has 

'^{h\dom{h)\{e'}, h.£' .hd) = TZ{h'\dom{h')\{£'}, h'.£'.hd) 
'^{h\dom{h)\{e'}, h.t.tl) ='R,{h'\j_om(h')\{e'}^ h'.t.tl) 

So, 

n{h', £') = 

= {£'} U 7^(/^'|rf„„(;,,)\{^,}, /I'.f .hd) U 7^(/^'|do™(/,')\{^'}' h' .£' .t\) = 

= {£'} u n{hUom{h)\{e}, h.e.Yid) u nihUornihm'}, h.£'.ti) = 

= n{h, £'). 

□ 
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Lemma 6.3 (Extending heaps preserves model relations). 

For all heaps h and h' , if h'\^gjn{h) = h then v w implies v |=^, w. 

Proof. 

The lemma is proved by induction on the structure of t* . 

T* = Int: In this case, u is a constant c and w = c, hence v |=^1 w by the definition. 
T* = L„. (r*'): We proceed by induction on n*. 

n* = 0: In this case, v = NULL and w = D, hence v \=!^, w by the definition. 
n* = m* + 1: By the definition v is a location £ and £ |=f* w^d ■■ w^ti for 

some u;hd and w-ti such that 

i G dom{h), 

I, v. J I fAdom(h)\{e} 

h.e.hd \=^., Whd, 

We want to apply the induction assumption, with heaps ^|dom(h)\{^}i ^'ldom(/i')\{£} 
(as "/i" and "/i"' respectively). The condition of the lemma is satisfied because 
h'\ I 

\<iom{h')\{£}\dom{h\aom(h)\{e}) 
= h \dom{h')\{i}\dom{h)\{i} 
= h'\dom{h)\{e} = h\dom{h)\{e} 

Thus, we apply the induction assumption and with h.£ = h'.i obtain 
i e dom{h'), 

h'.Lhd ^^ll'^-'-c^ovf^} ^^^^ 
Then, £ |=[^' / .a w^d :: Wti by the definition. 

□ 

Lemma 6.4 (The model relation for v depends only on values in the footprint of v). 
For V, h, w, and t* , the relation v \=^» w implies v \='^^J^'^^' w. 

Proof. The lemma is proved by induction on r*. 

r* = Int: By the definition, is a constant c and thus w = c. Then v ^^i'^'''' w. 
T* = L„.(t'): We proceed by induction on n* . 

T* = Lo(t"): By the definition v = NULL and w = [}. Then v 1=^1''^^''' w. 
T* = L„i«+i(T*'): By the definition v = i. Then I ^ i(t»') ^ means that 
w = tt^hd Wti for some Whd and iDti, and 
£ G dom{h), 

U /I X.J1 I ^\dom(h)\{e} 

h.i.hd \=^., Wbd, 

h.i.ti 

We apply the induction assumption, with the heap /i|dom(/t)\{^}- 
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i G dom{h), 

Due to ^(/iUom(/i)\{^}) /i-^-hd) C dom(K) \ (lemma [GTTI) we have 

^ldom{/i)\{<?}k(/i|do„(h)\{^}, h.^.hd) = 

= ^l7?.(/l.|dom{h)\{<?}: /l-^-hd) = 

= ^\'^{HioMK)\{t}. ft.^.hd)\{<?}- 

Similarly /i|dom(ft)\{£}k(h|rf„„(^\{,j, h.^.ti) = fc.f.ti)\{n- 

Due to £ € 7^(/i, and lemma [63] - with 'Tt(h\dom{h)\{i']^ h.i.iid) \ {£} C 

7^(/^, /li.hd) \ {^}, we have 

£ G dom{h'ji(^h, e)), 

7 1 /) . -, I '^I'Tlfh, h.«.hd)\{«} 

h\TZ(h, Fl„.{t«') ^ti 

Thus, £ hi^^l^ll.,) Wi,a--wti. 

□ 

Lemma 6.5 (Equality of footprints implies equivalence of model relations). 
Ifh\n{h, v) = h'\n{h, v) then v \=^. w implies v \='f. w. 

Proof. Assume v \=^, w. Lemma 16.41 states that this implies v ^^i^*''' w. Assuming 

h\n{h, v) = h'l-TK^h, v) we get v \=^.'^^'"' w. Since dom{h'\Ti{h, v)) = dom{h\',^(h^ ^)) = 
lZ{h, v) we have h'\ciom,(h'\^^^ = h'l-jK^h, v) aiid we may apply lemma [Ol which gives 

Lemma 6.6 (Extending a store preserves the validity of the store). 

Given a ground context T* , store s, heap h, value v, a set of variables vars and a variable 
X ^ vars, s.t. x dom{s), one has 

Validstore{vars.,T* .,s[x := v],h) Validstoreivars,T* , s, h) 

Proof. The lemma follows from the definition of Validstore- D 

Lemma 6.7 (Weakening for valid stores). 

Given a set of variables varsi, ground context V , stack s, and heap h, for any set of 
variables vars2 such that such that vars2 ^ varsi one has 

Validstoreii^cirsijT* , s, h) =^ ValidstoreivO''''S2,T' , s, h) 

Proof. The lemma follows from the definition of Validstore- CH 

Lemma 6.8 (Validity for the disjoint union of sets of variables). For any store s and a 
ground context T* one has 

Validstorei'i^O'rsi U vars2, T*, s, h) <^=^ Validstore{varsi,T* , s, h) A Validstore{vars2,T* , s, h) 
Proof. The lemma follows immediately from the definition of a valid store. □ 
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